On 24 March, the Court of Justice for the European Union (CJEU) heard argument on a case that could significantly impact, if not invalidate altogether, the Safe Harbor framework that facilitates the flow of personal data from the European Union (EU) to the US. The Plaintiff in the case, supported by the governments of three EU member nations (Austria, Belgium and Poland), contends that the Safe Harbor program no longer protects the privacy of Europeans when their personal data is transmitted to the U.S. The outcome could force U.S. companies to significantly alter the way they handle personal data from the EU. Billions of dollars and euros may be at stake.
What is the Safe Harbor Framework?
The European Commission’s Directive on Data Protection became effective in October of 1998, and prohibits the transfer of personal data to non-EU countries that do not meet the EU “adequacy” standard for privacy protection. The US government rather delicately notes that, “[w]hile the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.” In less diplomatic terms, the EU considers the patchwork of privacy protections in the U.S. to be “lower” than those in the EU, if not generally inadequate. Thus, without more, the EU Directive would prevent companies from transferring personal data to the U.S., and could subject those companies to prosecution for doing so in the face of the Directive. The Safe Harbor was developed as a stopgap work-around measure in light of these different “approaches”.
The Safe Harbor framework provides a method for U.S. companies to transfer personal data outside the EU in a way that’s deemed “consistent” with the EU Data Protection Directive and avoid prosecution by EU member states for violating EU privacy laws. To join the Safe Harbor, a U.S. company must self-certify to the Department of Commerce that it complies with EU standards. The FTC enforces the promise that companies make when they certify that they participate in the Safe Harbor. Last year, the FTC brought and resolved enforcement actions against a dozen U.S. companies for falsely claiming to comply with the Safe Harbor program.
Currently, more than 5,000 companies are listed as participating in the Safe Harbor, across a broad spectrum of industries. For U.S.-based Internet companies (e.g., Facebook, Google, Microsoft, Amazon, Apple, etc.) who collect personal data in Europe and transmit it to servers in the United States, the Safe Harbor is an essential element in their data transfer operations.
Why is the Safe Harbor under Attack?
Fall-Out From the NSA PRISM Program
For several years now, some EU Data Protection Authorities (DPAs) have raised objections about third-party access to personal data transferred under the Safe Harbor from the EU to the U.S. EU criticism increased exponentially following Edward Snowden’s unauthorized disclosure in mid-2013 of PRISM, the National Security Agency’s surveillance program that reportedly gave it access to EU personal data that was transferred to the U.S. under the Safe Harbor.
The fall-out from the PRISM program disclosure has resulted in not only increased scrutiny of the Safe Harbor by the EU Commission, but also in judicial activity focused on whether the Safe Harbor has been invalidated due to PRISM.
EU Commission Recommendations to Update the Safe Harbor
On November 27, 2013, following the controversial disclosure of the NSA’s PRISM surveillance program, the EU Commission issued a report on EU – U.S. data transfers, including a review of the Safe Harbor. It made 13 recommendations to improve the data protection guarantees of the Safe Harbor, 12 of which the United States has addressed. Continued access by the U.S. government to EU citizen personal data remains a point of contention and has not been settled.
EU Lawsuit Challenging the Legitimacy of the Safe Harbor Program
More recently, a lawsuit was filed in Ireland, and then referred to the Court of Justice for the European Union (the EU’s equivalent of our Supreme Court). The Plaintiff essentially argues that U.S. companies participating in the Safe Harbor do not provide adequate privacy protection for EU personal data transferred to the U.S., due to the NSA’s ability to access such data in the U.S. Background on the case is nicely summarized in an EU Law blog.
In a nutshell, the Plaintiff asked the Irish Data Protection Commissioner to investigate and bar Facebook Ireland from sending his personal data to Facebook in the U.S., on the grounds that the U.S. laws and practices (i.e., PRISM) don’t adequately protect his personal data. The Irish Data Commissioner refused to investigate the claim, given Facebook’s participation in the Safe Harbor program and the earlier EU determination that participation the Safe Harbor meant that EU personal data would, in fact, receive adequate privacy protection in the U.S. The claim was appealed to the Irish High Court, which, in turn, asked the CJEU to decide the following issues, which are summarized as follows:
If someone claims that the laws and practices of the United States do not provide adequate protection of EU privacy rights, may the Irish Data Protection Commissioner investigate that claim, or is he precluded from doing so because when the Safe Harbor Framework was established in 2000, compliance with its requirements was deemed sufficient to ensure adequate protection?
Alternatively, may the Irish Data Commissioner conduct an investigation of factual developments since the Safe Harbor program was enacted in 2000?
There are a number of different paths the CJEU could take in deciding the case. The Plaintiff and a number of other interested parties have argued to the Court that, based on the widespread U.S. data surveillance programs that also collect EU personal data, the Safe Harbor program is now invalid under EU law and should be annulled or stricken. However, given the particular questions referred to it by the Irish High Court, it is arguably neither necessary nor appropriate for the CJEU to broadly rule on the validity of the Safe Harbor program. Instead, it could simply address the question of whether the Irish Data Protection Commissioner may investigate the claim made by the Plaintiff against Facebook Ireland. The CJEU could also deny the appeal and leave the Safe Harbor program in the status quo, perhaps with the idea that there could be a political compromise between the U.S. and EU that would resolve the issue and guarantee the continued efficient flow of data across the Atlantic.
There is little doubt that, if so inclined, the CJEU would find the NSA PRISM surveillance program to be contrary to EU fundamental privacy rights. After all, in a recent ruling on the propriety of retaining a mass collection of metadata for six months to two years, the CJEU found that such a practice violated Article 8 of the European Charter of Fundamental Rights. Compare that to the PRISM program, which collected not only metadata but actual content data on a mass scale for indeterminate time periods, without any right for non-U.S. citizens to seek U.S. court intervention.
Notably, last May the same Court decided that a “right to be forgotten” applies to search engines like Google Inc.
What If the Safe Harbor Get Sunk?
Without the Safe Harbor framework, data transfer from the EU to the US would not be impossible – just more expensive and time consuming. Alternative methods exist under Article 26 of the Directive. Binding Corporate Rules or model contracts for the transfer of personal data outside the EU for every data transfer are options, but they are more resource (money and time) intensive and much less efficient than the Safe Harbor process. U.S. companies could also choose to keep all EU personal data within the EU, by building more data storage capacity within the EU.
One realpolitik consideration for the EU is that disrupting the data flow between the U.S. and EU (by derailing the Safe Harbor) could have a significant recessionary effect on the EU’s GDP – according to studies cited by the European Commission.
[UPDATE] It has been reported that at the conclusion of today’s hearing, the CJEU stated that it will decide the case by 24 June.